Ssl errors on puppet client-

Hi,

Fresh install of Foreman 2.0, newly built Centos7 workstations:

If I run puppet agent -t on the client I get the below, also not seeing reports for this client within Foreman

Thanks.

[root@work-07-test ~]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: bc23a65c918e94]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: bc23a65c918e94]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://foreman01.ff.XXX.com/pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: bc23a65c918e94]
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: bc23a65c918e94]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: bc23a65c918e94]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://foreman01.ff.XXX.com/plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: bc23a65c918e94]
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: bc23a65c918e94]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: bc23a65c918e94]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: bc23a65c918e94]

Which versions of Puppet are you using? Probably Puppetserver 6 and Puppet-agent 3 which will not work out-of-the-box as Puppetserver 6 introduces an intermediate CA which Puppet-agent 3 is not capable to understand.

Hi Dirk,

That looks right
Puppetserver 6.11
Puppet-agent 3.6.2

How do I resolve that?

Best thing would updating agents, but there is also a away to regenerate the CA to a flat one. I can not find the exact documentation at the moment, but it has to be somewhere here:
https://puppet.com/docs/puppet/latest/ssl_certificates.html